2015-11-04 5:25 GMT+03:00 <billbar...@apache.org>:
> Author: billbarker
> Date: Wed Nov 4 02:25:05 2015
> New Revision: 1712457
>
> URL: http://svn.apache.org/viewvc?rev=1712457&view=rev
> Log:
> Forward port r1712199 align with OpenSSL master. Just deleted the SSLeay
> check since any OS I know will raise an UnsatisfiedLinkError if you try to
> load this with such an old version when 1.0.2x is required. Otherwise no
> change if compiling against 1.0.2x
>
> Modified:
> tomcat/native/trunk/native/src/ssl.c
> tomcat/native/trunk/native/src/sslnetwork.c
> tomcat/native/trunk/native/src/sslutils.c
>
> Modified: tomcat/native/trunk/native/src/sslnetwork.c > URL: > http://svn.apache.org/viewvc/tomcat/native/trunk/native/src/sslnetwork.c?rev=1712457&r1=1712456&r2=1712457&view=diff > ============================================================================== > --- tomcat/native/trunk/native/src/sslnetwork.c (original) > +++ tomcat/native/trunk/native/src/sslnetwork.c Wed Nov 4 02:25:05 2015 > @@ -650,6 +650,7 @@ TCN_IMPLEMENT_CALL(jint, SSLSocket, rene > #endif > return APR_EGENERAL; > } > +#if OPENSSL_VERSION_NUMBER < 0x10100000L > SSL_set_state(con->ssl, SSL_ST_ACCEPT); > > apr_socket_timeout_get(con->sock, &timeout); 
> @@ -669,14 +670,11 @@ TCN_IMPLEMENT_CALL(jint, SSLSocket, rene > break; > } > con->reneg_state = RENEG_REJECT; > -#if OPENSSL_VERSION_NUMBER < 0x10100000L > + > if (SSL_get_state(con->ssl) != SSL_ST_OK) { > -#else > - if (SSL_get_state(con->ssl) != TLS_ST_OK) { > -#endif > return APR_EGENERAL; > } > - > +#endif > return APR_SUCCESS; > }

Regarding the above change in SSLSocket.renegotiate()

TCN_IMPLEMENT_CALL(jint, SSLSocket, renegotiate)(TCN_STDARGS, jlong sock)

As a comment there says,

    /* Sequence to renegotiate is
     *  SSL_renegotiate()
     *  SSL_do_handshake()
     *  ssl->state = SSL_ST_ACCEPT
     *  SSL_do_handshake()
     */

The change is that the second handshake attempt (starting with
ssl->state) is removed on OpenSSL 1.1+.

Can it be removed completely -- on the old library as well? I think
that the first SSL_do_handshake() shall be enough.

Actually we do not have tests for renegotiation, as
org.apache.tomcat.util.net.TesterSupport does

    protected static boolean isRenegotiationSupported(Tomcat tomcat) {
        String protocol = tomcat.getConnector().getProtocolHandlerClassName();
        if (protocol.contains("Apr")) {
            // Disabled by default in 1.1.20 windows binary (2010-07-27)
            return false;
        }
        if (protocol.contains("NioProtocol")
                || (protocol.contains("Nio2Protocol") && isMacOs())) {
            // Doesn't work on all platforms - see BZ 56448.
            return false;
        }
        return true;
    }

Best regards,
Konstantin Kolinko
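Review bot: in the first sslnetwork.c hunk (@@ -650,6 +650,7 @@), the `#if OPENSSL_VERSION_NUMBER < 0x10100000L` opened just before `SSL_set_state(con->ssl, SSL_ST_ACCEPT);` has no comment explaining why the second handshake is skipped on 1.1+, and it leaves that build without any completion check: together with the `#endif` added in the following hunk, everything down to `return APR_SUCCESS;` is compiled out, so the function reports success without the `SSL_get_state(con->ssl) != SSL_ST_OK` test. Suggest a short comment at the `#if` and an `#else` branch that still verifies the handshake has finished (for example with SSL_is_init_finished()) before returning APR_SUCCESS.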
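Review bot: in the second sslnetwork.c hunk (@@ -669,14 +670,11 @@), the context line `con->reneg_state = RENEG_REJECT;` now sits between the new `#if OPENSSL_VERSION_NUMBER < 0x10100000L` and the added `#endif`, so on OpenSSL 1.1+ it is no longer compiled. If reneg_state is switched away from RENEG_REJECT earlier in renegotiate(), outside the guard, it keeps that value after the call on 1.1+. Suggest moving the assignment below the `#endif`, just before `return APR_SUCCESS;`, or above the `#if`, so the reset runs on every OpenSSL version.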